Security experts say all users of all versions of Struts should install the patch as quickly as possible.

"The vulnerability is within the core code of Struts, so doesn't need additional modules to have been enabled," says incident response expert David Stubley, who heads Edinburgh-based security testing firm and consultancy 7 Elements. "Basically, if your configuration matches either of two known conditions, then you would be vulnerable."

To get the fix, users of Struts 2.3 need to upgrade to version 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17.
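As an added example (not code from the article, Apache Struts or Semmle), the following Python script turns the upgrade advice above into a dependency check: it reads a Maven pom.xml, resolves the Struts artifact versions (including `${property}` references) and flags any release below the fixed versions named above. The sample pom.xml is constructed for the example, and the rule that every line older than 2.5 other than 2.3.35+ counts as vulnerable is this example's own conservative reading of "all users of all versions ... should install the patch".

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases named in the advisory coverage: 2.3.35 and 2.5.17 (S2-057 / CVE-2018-11776).
FIXED_PATCH_LEVEL = {(2, 3): 35, (2, 5): 17}
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml for the example; not from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <struts2.version>2.5.16</struts2.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts2.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-convention-plugin</artifactId>
      <version>${struts2.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(version):
    """Return (major, minor, patch) for strings such as '2.5.16' or '2.3.34.1'."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Struts version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(version):
    """True when the version predates the fixed release of its line.

    Assumption (this example's policy, not the article's): lines older than 2.5
    that are not 2.3.35 or later have no fix and are treated as vulnerable;
    anything newer than the 2.5 line is treated as above both fixed releases.
    """
    major, minor, patch = parse_version(version)
    if (major, minor) in FIXED_PATCH_LEVEL:
        return patch < FIXED_PATCH_LEVEL[(major, minor)]
    return (major, minor) < (2, 5)


def struts_versions_in_pom(pom_xml):
    """Return [(artifactId, resolved version)] for org.apache.struts dependencies."""
    root = ET.fromstring(pom_xml)
    # Collect <properties> so ${name} placeholders in <version> can be resolved.
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", POM_NS)}
    found = []
    for dep in root.iter("{%s}dependency" % POM_NS["m"]):
        group = dep.findtext("m:groupId", default="", namespaces=POM_NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=POM_NS)
        version = dep.findtext("m:version", default="", namespaces=POM_NS)
        if group == "org.apache.struts" and artifact.startswith("struts2-"):
            version = re.sub(r"\$\{([^}]+)\}",
                             lambda mm: props.get(mm.group(1), mm.group(0)), version)
            found.append((artifact, version))
    return found


def audit_pom(pom_xml):
    """Return [(artifactId, version, vulnerable)] for every Struts dependency found."""
    return [(a, v, is_vulnerable(v)) for a, v in struts_versions_in_pom(pom_xml)]


if __name__ == "__main__":
    for artifact, version, vuln in audit_pom(SAMPLE_POM):
        print(f"{artifact} {version}: {'UPGRADE REQUIRED' if vuln else 'ok'}")
```

Run it against a real build by replacing `SAMPLE_POM` with the contents of the project's pom.xml; Gradle or shaded-jar deployments need the version read from the bundled `struts2-core-*.jar` name instead, which this example does not cover.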

The flaw was discovered by the security research team at Semmle, a San Francisco-based software engineering analytics and code exploration provider.

"The vulnerability has been assigned CVE-2018-11776 (S2-057), is exposed on servers running Struts under certain configurations and can be triggered by visiting a specially crafted URL," Semmle security researcher Man Yue Mo, who found the flaw and reported it to Struts, writes in a blog post.

Semmle reports that the flaw can be exploited by using Object-Graph Navigation Language, which is "a powerful domain-specific language that is used to customize Apache Struts' behavior," to write and submit queries to vulnerable Struts applications.

"Attackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request," Semmle says in its analysis of the flaw. "The value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string."

The good news: Full details of how to exploit this flaw have yet to become public.

"The Semmle Security Research Team has constructed multiple OGNL payloads and shared details with the Apache Struts team," it says. "At this stage, we are not releasing more details of the exact OGNL strings that trigger this vulnerability and allow remote execution of arbitrary code."

Timeline: Equifax Breach

The Equifax breach demonstrates that Struts users may have days, at most, to patch flaws before attackers attempt to exploit them. In the case of Equifax, the company had failed to install a patch released by Apache on March 6 to fix a flaw, designated CVE-2017-5638. Just four days later, Equifax was hacked by an attacker who exploited the flaw.

This Struts patch and Equifax breach timeline demonstrates just how quickly such flaws may be targeted.

March 9: Equifax issues internal alert, requiring all Struts installations to be updated within 48 hours.

March 10: Hacker exploits the flaw to breach Equifax. Over the next three months, the attacker exfiltrates massive quantities of data.

March 15: Scans run by Equifax's security team fail to flag the vulnerable Struts implementation.

July 29: Equifax discovers the breach.

July 30: Equifax patches the Struts flaw.

Sept. 7: Equifax issues its first public notification about the breach.

Equifax's former CEO, Richard Smith, told a House committee last year that the company's internal policy was to apply all emergency security patches within 48 hours of their being issued. In the case of the Apache Struts patch, the company obviously failed (see Equifax Ex-CEO Blames One Employee For Patch Failures).

In May, Equifax told Congress that based on its latest findings, the breach exposed information on 146.6 million U.S. individuals, as well as 15 million U.K. consumers and 8,000 Canadian consumers.

Apache: Update Struts in Hours or Days

In the wake of reports that Equifax had failed to patch Struts in a timely manner, René Gielen, vice president of Apache Struts, advised all users to ensure they put the appropriate policies and procedures in place, ideally to update their software within hours of a security update being released.

"Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries need to be updated for security reasons," Gielen wrote. "Best is to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years."

Widespread Use of Vulnerable Versions of Struts

Indeed, the use of vulnerable, outdated versions of Struts is widespread, Derek E. Weeks, a DevOps advocate at cybersecurity startup Sonatype, which tracks code used by software developers, reported at the RSA Conference in San Francisco in April.

From March 2017 through February 2018, nearly 11,000 organizations downloaded a version of Apache Struts that included known flaws, Weeks said in a presentation titled "We Are All Equifax."

Expert Advice: Stop Using Struts

Some information security experts recommend organizations stop using Struts altogether, for the safety of their networks and data.

Chad Loder, the founder of information security firm Rapid7 who's now CEO of security awareness startup Habitu8, says that based on his extensive data breach investigation experience, organizations should pull the plug on Struts.

I'm lucky enough to have seen lots of non-public details on dozens of high-profile security breaches over the last 15 years. My one takeaway, not a joke - stop using Apache Struts.

"I have to agree," Stubley at 7 Elements tells Information Security Media Group. "My advice would be to migrate to a different technology stack. I've managed numerous incidents where Struts was the vulnerable component that enabled unauthorized access to the underlying server."

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
